danielkop opened this issue 8 years ago (status: Open)
Thanks @danielkop, that's a great find. We want to protect the queue and any data field in the system.
Important to note that regardless of this possible injection, the queue WILL NOT be changed or damaged.
My suggestion: use strong params in JSON. That way unknown params would be ignored.
@yules It's less an issue with the unknown parameter "injectedfield", and more an issue with the fact that you can override existing fields such as the ip and timestamp.
JSON.parse('{"ip" : "goodip", "ip" : "badip"}') will result in {"ip" : "badip"}
The following curl may be sent by a client:
Which will result in:
and the following record in the queue:
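The duplicate-key behaviour and the two merge orders discussed in this thread, as an added example that is not code from the project or from any commenter. It assumes a hypothetical queue record of the shape {ip, timestamp, message, priority}; the field names, the ALLOWED_FIELDS list and the request body are constructed for the illustration. JSON.parse keeps the last occurrence of a repeated key, so any merge that lets the client body win over server-set fields is overridable; the hardened builder copies only allow-listed client fields and assigns ip and timestamp last.

```javascript
// Parse a raw JSON body. JSON.parse keeps the LAST value for a duplicated
// key, so '{"ip":"goodip","ip":"badip"}' yields { ip: 'badip' }.
function parseBody(raw) {
  return JSON.parse(raw);
}

// Vulnerable merge order: server fields are set first, then the client body
// is merged on top, so a client-supplied "ip" or "timestamp" replaces them and
// unknown keys such as "injectedfield" are stored as well.
function buildRecordVulnerable(body, clientIp, now) {
  const record = { ip: clientIp, timestamp: now };
  return Object.assign(record, body);
}

// Hardened builder (hypothetical allow-list): copy only the fields the client
// is allowed to set, then assign the server-controlled fields last so nothing
// in the body can override them. Unknown keys are dropped.
const ALLOWED_FIELDS = ['message', 'priority'];

function buildRecordHardened(body, clientIp, now) {
  const record = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      record[key] = body[key];
    }
  }
  record.ip = clientIp;       // server-observed address wins
  record.timestamp = now;     // server clock wins
  return record;
}

// Constructed request body with a duplicated "ip", a forged "timestamp" and an
// unknown field, mirroring the shape of the injection described in the issue.
const CONSTRUCTED_BODY =
  '{"message":"hello","ip":"goodip","ip":"badip","timestamp":0,"injectedfield":1}';

// Stand-alone demonstration of both merge orders on the constructed body.
function demo() {
  const body = parseBody(CONSTRUCTED_BODY);
  const clientIp = '203.0.113.5';   // RFC 5737 documentation address
  const now = 1700000000;           // constructed timestamp
  return {
    parsedIp: body.ip,
    vulnerable: buildRecordVulnerable(body, clientIp, now),
    hardened: buildRecordHardened(body, clientIp, now),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The order of assignment is the whole point: an allow-list alone does not help if a client key in the list is later merged over a server value, and setting server fields first does not help if the body is merged afterwards. Doing both (allow-list, then server fields last) closes the override regardless of how many times a key is repeated in the JSON.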